check_cert_cn translation
Alan DeKok
aland at deployingradius.com
Wed Oct 29 20:36:22 CET 2008
kas mataz wrote:
> We've noticed several people have posted their eap.conf for eap-tls
> troubleshooting, and that both the check_cert_issuer and check_cert_cn
> are commented out. In these configurations is freeradius just checking
> for the certificate in the crl list and that the proper CA root is in
> the CA_file on the freeradius server?
>
> What is gained by using check_cert_cn?

Some sanity checking. It's common across many different RADIUS servers.

> When we have check_cert_cn enabled it seems that the User-Name is
> translated differently from different types of devices. When a test user
> with an iPhone tries to connect he receives errors, but the same
> certificate on a Microsoft Vista wireless client is successfully
> authenticated. We've seen this with both freeradius v1.1.7 and v2.1.1.
> Which file controls the User-Name translation?

Nothing. It's the client device that is responsible for sending the
EAP identity (which gets copied to the User-Name). If the client device
does it wrong... the user won't be authenticated.

This is actually a significant problem for more than just EAP-TLS.
I'm in the process of updating RFC4282. The changes should help guide
implementors as to what to do.
Alan DeKok.
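
An added example, not part of the original thread and not FreeRADIUS code: a sketch of the comparison implied by `check_cert_cn = %{User-Name}`, modelled here as an exact, case-sensitive string match (an assumption), showing why one certificate can pass with one EAP identity and fail with another. The subject string, the identities and all function names are constructed for illustration.

```python
import re

def subject_cn(subject):
    """Return the CN from an OpenSSL one-line subject such as /C=GB/O=Example/CN=alice."""
    m = re.search(r"/CN=([^/]+)", subject)
    return m.group(1) if m else None

def expand(template, attrs):
    """Simplified stand-in for expanding %{Attribute} references in the configured value."""
    return re.sub(r"%\{([^}]+)\}", lambda m: attrs.get(m.group(1), ""), template)

def diagnose(cn, expected):
    """Name the most likely reason the expanded value does not equal the certificate CN."""
    if cn == expected:
        return "match"
    if cn.lower() == expected.lower():
        return "case differs"
    if expected.split("@", 1)[0] == cn:
        return "identity carries @realm suffix"
    if expected.rsplit("\\", 1)[-1] == cn:
        return "identity carries DOMAIN\\ prefix"
    if expected.strip() == cn:
        return "surrounding whitespace"
    return "different identity"

def check_cert_cn(subject, user_name, template="%{User-Name}"):
    """Return (passed, reason) for one certificate subject and one User-Name."""
    cn = subject_cn(subject)
    if cn is None:
        return (False, "certificate has no CN")
    expected = expand(template, {"User-Name": user_name})
    # Assumption: the server accepts only an exact, case-sensitive match.
    return (cn == expected, diagnose(cn, expected))

# Constructed sample data: one certificate, several identities a client might send.
SUBJECT = "/C=GB/O=Example Org/CN=alice"
IDENTITIES = ["alice", "Alice", "alice@example.org", "EXAMPLE\\alice", "anonymous"]

if __name__ == "__main__":
    for ident in IDENTITIES:
        ok, why = check_cert_cn(SUBJECT, ident)
        print(f"{ident!r:24} {'accept' if ok else 'reject'}  ({why})")
```

Feeding it the User-Name values seen in the server's debug output for each device shows which client is sending an identity that differs from the certificate CN.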